IMPROVEMENTS RELATING TO SECURITY

This invention relates to an improved method of increasing the security of a computer system, especially a networked system, together with a computer security apparatus, a secure network, software adapted to provide security, and a software carrier.

It is well known to hold data on a computer system to which it is desired to restrict access. Further, there are various known techniques which can be used to ensure that only people, clients, entitled to access the data can actually do so. However, computer hacking is well known and the computer systems holding such data need to be designed so that the system is as secure as possible, that is there are no security loop holes which can be exploited by potential hackers.


One area where security is important is Internet networked systems. One Internet problem is controlling individual and group access rights to web pages on a web server.


The Internet/web page prior art system is the secure socket layer (SSL) which uses public key cryptographic technology to authenticate clients and then encrypts subsequent communications, allowing clients to access directories and web pages that require presentation of a valid certificate (e.g. their X.509 Certificate).

However, this technique does not provide for varying levels of access: a client can either access the data or they cannot. Further, SSL involves a complex handshake and employs encryption techniques that lead to a major performance degradation. Encryption prevents file compression for telecommunication transmission. Therefore encrypted files have to be transmitted in uncompressed form, which clearly requires a greater bandwidth and/or takes longer.

The encryption also prevents content filtering, e.g. at company firewalls, where there is a desire to block browsing of inappropriate material and/or to screen for malicious code, such as computer viruses.



According to a first aspect of the invention there is provided a method of securing data held on a computer network comprising labelling datasets or sections with an access level, determining the access level to which a user or client wishing to access the data is allowed to access and, after determining the client's identity, allowing the client access only to datasets or sections which have an appropriate access level.



An advantage of such a method is that it is simpler to implement and easier to maintain than prior art systems. In prior art systems (such as the SSL system) it has previously been known to note on each data section the identity of clients who are entitled to access that data section and allow only those clients access rights. Therefore, should the rights of a particular client alter (for example a client may leave the employment of a company) it would be necessary to access each dataset or section of a database and alter the reference as necessary for that particular client. Clearly, if there are a large number of data sections this is a time consuming process which is not required by the present invention.

The computer network may comprise the Internet. Use of the Internet is convenient because it is a readily available network which is generally easily accessible. However, the skilled person will appreciate that any network is suitable (any LAN or WAN may also be suitable).


In particular, the method may make use of the world wide web. In such an implementation the datasets/sections may comprise one or more web pages and the access level may determine whether or not the particular web page can be viewed. Such a method is advantageous because it allows the datasets/sections to be readily accessed and uses well known technology.



The access levels, or dataset labels, may be provided as tags, such as meta tags, within the HTML code of a particular web page, providing a simple and efficient way of noting the access level.


The method may comprise using standard access software provided for the network being used in addition to specific software for providing the method. The standard access software may comprise a web browser and a web server. The skilled person will appreciate that such access software is well known and is readily available. Using such standard software may make the method easier to implement than if specific access components were required.

Conveniently, the specific software for providing the method may communicate with standard access software already provided, providing a simple architecture for the method. In particular, the specific software may provide proxy servers with specific network addresses. To use standard access software to access the data it may be necessary for the standard access software to address the proxy servers, thus providing a convenient way of controlling how the standard access software functions.
A first, user, proxy server may be provided in association with the specific software used to access the data. The first proxy server may run on the same computer as the access software (which may be a web browser), or may be provided remotely of the computer.


Further, a second, access controller, proxy server may be provided in association with the data. The second proxy server may run on the same computer as the computer storing the data, or perhaps more preferably it may run on a computer remote from the computer holding the data. The data may comprise a collection of web pages managed by a web server. It is preferable that the second proxy server runs remote from the computer holding the data to enhance the security of the system. If the proxy server and the data (possibly a web server) run on the same computer, security loop holes in the software managing the data could allow the proxy server to be by-passed, whereas if the proxy server is provided on a separate server/computer the second, access controller, proxy server will only be vulnerable to loop holes in itself. Web servers may be thought of as software managing the data and are generally complex programs and it is thus hard to ensure that they are free of loop holes which may allow people to by-pass them.

The method may allow clients without the necessary specific access software to access datasets/sections. Preferably, clients without the specific access software are assigned a predetermined access level which in general may be the lowest access level, granting such a client only minimum access to the data.






The method may make use of the challenge response technique to verify the identity of the client wishing to access the data. This is a well known and tested technique. The client may need to provide an appropriate response to a challenge before each data section is provided to the client.


Conveniently the method initially comprises the client passing a request for data across the computer network. This request for data may then provoke a challenge from the network to which the client must make an appropriate response in order to verify their identity. Once the identity of the client has been confirmed the method may comprise the step of checking whether the client has the necessary access level to receive the data they have requested. Checking of the access level held by the client may be achieved by looking up an entry held on the computer network for that particular client. Once the access level assigned to the client has been determined it may be compared to the access level held on the requested data section. If the client has an appropriate access level then the requested data section may be passed to the client. If the access level assigned is not appropriate then access may be denied.
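The request, challenge, response, look-up and comparison steps just described, simulated in one process as an added example; this is not code from the patent. Everything not stated in the text is an assumption of the example: the challenge is a random nonce, the client proves its identity by returning an HMAC of the nonce under a key the controller already holds (a stand-in for the signature made with the private key of the X.509 certificate the text describes), the access control list and the dataset label registry are plain dictionaries, and all client names, keys and dataset identifiers are constructed.

```python
"""Added example (not from the patent): the access-controller proxy's
request -> challenge -> response -> look-up -> compare flow.

The HMAC-over-nonce proof stands in for a certificate signature; the ACL
and registry are dicts.  All sample data below is constructed.
"""
import hashlib
import hmac
import secrets

# The three levels named later in the text, ordered so that a higher
# number dominates every lower one.
LEVELS = {"unclassified": 0, "restricted": 1, "secret": 2}


class AccessController:
    """The second, access-controller, proxy: verifies identity, then compares labels."""

    def __init__(self, client_keys, access_control_list, dataset_registry):
        self._keys = client_keys                  # client id -> verification key (certificate stand-in)
        self._acl = dict(access_control_list)     # client id -> user label, one entry per client
        self._registry = dict(dataset_registry)   # dataset id -> dataset label
        self._pending = {}                        # client id -> outstanding nonce

    def challenge(self, client_id):
        """Step 2: a request for data provokes a fresh, single-use challenge."""
        nonce = secrets.token_bytes(16)
        self._pending[client_id] = nonce
        return nonce

    def _verify(self, client_id, response):
        nonce = self._pending.pop(client_id, None)   # consumed: a replayed response fails
        key = self._keys.get(client_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def request(self, client_id, response, dataset_id):
        """Steps 3-5: verify the response, look up the client's level, compare with the dataset's."""
        if not self._verify(client_id, response):
            return ("denied", "identity not verified")
        user_label = self._acl.get(client_id)
        dataset_label = self._registry.get(dataset_id)
        if user_label is None or dataset_label is None:
            return ("denied", "unknown client or dataset")
        if LEVELS[user_label] >= LEVELS[dataset_label]:
            return ("granted", dataset_id)
        return ("denied", "insufficient access level")

    def set_user_label(self, client_id, label=None):
        """Changing or revoking a client's clearance touches one ACL entry, not every dataset."""
        if label is None:
            self._acl.pop(client_id, None)
        else:
            self._acl[client_id] = label


def client_respond(key, nonce):
    """The client software's side of the exchange: answer the challenge with its key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


# Constructed sample deployment: two clients, two labelled web pages.
KEYS = {"alice": b"alice-key-constructed", "bob": b"bob-key-constructed"}
ACL = {"alice": "secret", "bob": "unclassified"}
REGISTRY = {"/pages/public.html": "unclassified", "/pages/q3-results.html": "restricted"}


def fetch(ctrl, client_id, key, dataset_id):
    """One complete exchange: request, challenge, response, decision."""
    nonce = ctrl.challenge(client_id)
    return ctrl.request(client_id, client_respond(key, nonce), dataset_id)
```

Because the nonce is removed when it is checked, a captured response cannot be presented a second time, and because the controller fails closed on an unknown client or dataset, removing a client's single ACL entry is enough to deny them everything.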


The identity of the client may be verified using a certificate held by the client. Generally, the certificate is obtained from an independent standards authority and has associated with it a public and a private key which can be used to determine the identity of a client presenting a particular certificate. The skilled person will appreciate that such techniques are well known. In one embodiment an X.509 certificate is used to verify the identity of the client.




The certificate may identify the client to whom it belongs at a number of different levels and each level may be a subset of the previous level. Each level may provide a specific level of access to the data. The access level associated with each known level may be held on the computer network, and is preferably associated with the second proxy server. Preferably the access levels are held within a look up table, and once the identity of the client has been verified the access levels can be determined.

Preferably, the method comprises sending data sections across the computer network in an un-encrypted form. This allows the data to be compressed for transmission, with the advantages this brings (e.g. speed of transmission, reduced bandwidth requirement etc.). Transmitting unencrypted data is also advantageous because it allows the content of the data to be screened. Should the method be applied across the Internet, users running the system may want to screen the data sections to ensure that the internet is being used appropriately and/or to ensure that no malicious code (such as viruses) is inadvertently being copied on to computers running the method. Further, using unencrypted data does not deteriorate performance of the system by an unnecessary exchange of session keys, with the result that data transfer is likely to be quicker and more efficient than methods using encryption.


Conveniently the method comprises allowing a client with a particular access level to access any datasets at that access level or below that access level. Therefore, if a client has access to datasets at the highest access level they would be able to access all datasets held on the computer system.


The method may be applicable to any computer network that contains data to which it is desired to restrict access. Particular examples where it may be applicable include military, financial, healthcare, etc.

According to a second aspect of the invention there is provided a computer system having a store for holding data, the data being divided into a number of datasets or sections, each dataset/section having associated with it an access level, and access determining means adapted to determine whether a client can access data at a particular access level.


Preferably the data store is held on a first computer and the access determining means is held on a second computer remote from the first. This is advantageous because it increases the security of the data held in the data store. If the access determining means and the data store are provided on the same computer it is possible that security loop holes exploited in software running on that computer may allow the access determining means to be by-passed.


Conveniently the computer system allows access to the data via a third computer which is connected to the second computer and most preferably there is no link between the first and third computers. Again this structure increases the security of the system since there is no physical link provided which allows the second computer to be by-passed.


The third computer may be provided with an input means which allows a client using the third computer to input their identity. The input means may be adapted to communicate the identity to the access determining means allowing, in use, the access determining means to determine whether that particular client can access data held on the data store.


An identification verification means may be provided and is preferably provided in association with the access determining means. The identification verification means may be adapted, in use, to verify the identity of a client using the system. The access determining means is preferably adapted to allow access to the data only once the identity of the client has been verified.



The identification verification means may be further adapted to ascertain the level of access granted to that particular client. The identification verification means may be adapted to pass the level of access granted to the client to the access determining means. The access determining means may be adapted to allow the client access only to data sections which that client has clearance to access.


According to another aspect, the invention comprises a network access controller comprising a comparator which is adapted to compare a label representative of a dataset and a label representative of a user, and to determine from the comparison whether the user is authorised to have access to the dataset, the comparator being adapted to communicate with access control means adapted to allow or deny a user access to the dataset dependent upon the communication from the comparator.


Preferably, the comparator is adapted to compare a numerical value associated with the dataset label with a numerical value associated with the user. Preferably, the numerical values are binary values. Preferably, the comparator uses one or more simple binary logic operations, such as "or", "and", "nand", "nor", to make the comparison.



Preferably, the network access controller has an access control directory having a concordance between user identities and user labels. This may comprise a region of memory. There may also be provided in the comparator (or provided external of the comparator, for example at a database server), a registry of concordance between dataset identities and dataset labels.



The network access controller may comprise a computer or server. The computer may look up a user label and a dataset label and perform the comparison to determine whether access is to be denied or granted.

The network access controller may be adapted to be provided in a separate server from that which contains the database of datasets. The network access controller may be provided in a separate server from that which the user uses to access the database.

According to another aspect the invention comprises a method of controlling network access to a database held on a database server and having a plurality of datasets, the method comprising allocating each potentially accessible dataset a dataset label, allocating a user a user label, and comparing the dataset label and user label to determine whether the user can access the dataset.

The method preferably comprises providing an access controller which controls access to the database, and providing the user labels in the access controller. Each allowable user may have a label associated with them, but a "user" could be an anonymous user that otherwise unidentified users may be able to use. The system may allocate unidentifiable users as the "anonymous user" or they may have to sign in to the access controller using an anonymous user address/code. The user labels are preferably hierarchal, with higher security clearance user labels dominating lower level security user labels and providing access to datasets of equal or lower security level or value. Preferably the method comprises providing an access control server, and a database server. The method may comprise providing the access control server and running the access control software on that server, and not the database server.



Preferably the method comprises unencrypted transfer of data from datasets for which access is granted to a user.

Preferably the method comprises running checking/blocking software on a user/browser server to screen incoming unencrypted data to block unwanted data content.


Preferably the method comprises running the access control software as a firewall to a database server. Alternatively, it may be run on a firewall of an access control server separate to the database server.



Preferably, the method comprises having a hierarchal structure to the dataset labels. This means that some datasets may be considered as sub-sets of higher order datasets, so access clearance for a higher level dataset may provide access clearance to lower level datasets as well.

Preferably, the method allocates a numerical value to the user label and the dataset label. Preferably, the values are compared to determine if access is granted or denied.



The user and/or dataset labels may have a human-readable part (e.g. a word or initials indicative of a word so that a human reader can tell what it represents without special technical machine-language knowledge). They may also have a numerical part, which may be the part the computer operates on to perform the user label/dataset label comparison.


There may be a plurality of human intelligible parts to a user label and/or dataset label (e.g. words or initials). There may be a plurality of numerical parts to a user label and/or dataset label. The numerical parts and the user parts may have a one to one correspondence.
According to another aspect the invention comprises use of any method or apparatus of the invention in reducing the time and/or computer memory required to manage and maintain a user-dataset security clearance/access enabling or denying concordance in a computer.

According to another aspect the invention comprises a network having a network access controller in accordance with another aspect of the invention, preferably operating in accordance with a method according to an aspect of the invention.


According to another aspect the invention comprises a software carrier carrying access control software which when operational on a computer or network either provides the apparatus or network of any other aspect of the invention, or operates the computer or network according to a method of any other aspect of the invention.

According to another aspect the invention comprises software which when running is capable of providing the apparatus or method of any aspect of the invention.


According to another aspect, the invention comprises a network comprising a user-server communicatable with an access controller; and a potentially accessible database comprising a plurality of datasets, each of which has an associated dataset label; and the arrangement being such that in use the identity of a user is communicated to the access controller, and the access controller has a user label database of allowable user identities and user labels, each user having an allocated user label associated with them in the user label database, and a dataset label database allocating a dataset label to each dataset potentially accessible via the access controller, the controller being adapted to take a user identification and correlate it with a user label, take the user request for access to a specified dataset and determine the dataset label for the identified dataset, and compare the user label and dataset label to determine whether access is allowed or denied, data from an accessible dataset being communicated to the user server.

The network may have the user browser, communicatable with the access controller, as part of the network access controller, but it will typically be on a separate server. Preferably, the access controller and the potentially accessible database are on different physical servers, preferably at different physical locations. The physical locations may be geographically spaced out, preferably by tens or hundreds of metres, or by kilometres, or by tens, hundreds, thousands, tens of thousands of kilometres. Preferably, the access controller is provided in a secure site (physically secure site). The database of datasets may be provided on a database server, which may be a web server. The access controller is preferably provided on another, different, server to that which has the database. The access controller software preferably does not run on the database server operating software.



There may be an anonymous client present on a server which presents to the access control server an allowable identity, thereby to allow a user with no known identity (to the access control server) to communicate with the access control server via the anonymous client function. The anonymous client may run on the access control server itself, or on a separate server. The unknown user may have their identity known to the anonymous client function (but not be recognised as an allowable user by the access control function). The anonymous client may be given only a low (or the lowest) security value user label at the access control server.



According to another aspect, the invention comprises a network having a dataset-containing database provided at a first physical site, and a network access controller, the network access controller having telecommunication means adapted to communicate with the outside world and means communicating it with the database (preferably telecommunication means), the network access controller being provided outside of the database server.






Preferably, the network access controller does not run on the operating software of the database server.



Preferably, the network access controller is at, near, or on the same physical site as the database server. Preferably, the arrangement is such that communication with the database can only be achieved from the outside world via the network access controller. The network access controller may be in a secure location within the first site or near the first site (e.g. on the same property). The site may have a secure boundary, at least for the access controller. Preferably, the network has a user browser server, which is preferably provided at a second site, physically/geographically remote from the first site.


By having the network access controller on a different server than that which has the database, it is possible to have a higher level of security regarding the network access controller, and to avoid possible bypasses of the security operation required to gain access to the database occurring by bypassing an access control function running on the same server as the database, on the same operating software platform.
According to another aspect, a network access controller is provided which is adapted to allow unencrypted access to a database after a challenge/response routine has been passed by the user, the network access controller determining those parts of the database that are permissibly accessible by the particular user from a comparison of characteristics representative of the user and characteristics representative of the part of the database for which access is requested.

The controller preferably has a user identification to user label database, or concordance register. The controller is preferably adapted to compare a user label with a dataset label and determine if the security value associated with the user label equals or outranks that of the dataset label.


Preferably, the network access controller is used in conjunction with an Internet network. The network may comprise a network on the worldwide web. The database may comprise one or more web pages, and the parts of the database may comprise different web pages.

Preferably, the network comprises a user browser/server. The user browser/server may be adapted to run a screening programme to check incoming unencrypted data from the accessed database to determine that it does not contain objectionable material. The objectionable material may comprise unwanted harmful software, such as viruses. The objectionable material may comprise non-allowed subject-matter detected by an appropriate subject-matter search programme.
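The screening programme on the user/browser server, described here and in the earlier passage on checking/blocking software, as an added example that is not part of the patent. Three checks are shown, all on constructed data: a digest denylist standing in for a virus signature database, a check that a body declared as text does not begin with executable magic bytes, and a subject-matter word list. The digest, the word list and the sample responses are made up for this example.

```python
"""Added example (not from the patent): screening unencrypted responses at
the user/browser server before they reach the browser.

The denylist digest, the blocked terms and the sample responses are all
constructed for this example.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed denylist: sha256 digests of payloads the operator has chosen to block.
BLOCKED_DIGESTS = {
    hashlib.sha256(b"MZ\x90\x00constructed-sample-dropper").hexdigest(),
}
# Constructed subject-matter list (whole words, case-insensitive).
BLOCKED_TERMS = re.compile(r"\b(?:casino|jackpot)\b", re.IGNORECASE)
# Magic bytes that should never start a body declared as text.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


@dataclass
class Response:
    url: str
    content_type: str
    body: bytes


def screen(resp: Response) -> Tuple[bool, str]:
    """Return (allowed, reason); the first matching rule blocks the response."""
    ctype = resp.content_type.split(";")[0].strip().lower()

    # 1. Known-bad content, whatever it claims to be.
    digest = hashlib.sha256(resp.body).hexdigest()
    if digest in BLOCKED_DIGESTS:
        return False, f"known-bad digest {digest[:12]}"

    # 2. An executable dressed up as a text document.
    if ctype.startswith("text/") and resp.body.startswith(EXECUTABLE_MAGIC):
        return False, "executable content declared as text"

    # 3. Non-allowed subject matter in readable documents only.
    if ctype in ("text/html", "text/plain"):
        text = resp.body.decode("utf-8", errors="replace")
        match = BLOCKED_TERMS.search(text)
        if match:
            return False, f"blocked subject matter: {match.group(0)!r}"

    return True, "clean"


# Constructed sample traffic from the database server.
SAMPLE_RESPONSES = [
    Response("http://db.example/pages/public.html", "text/html; charset=utf-8",
             b"<html><body>Quarterly report</body></html>"),
    Response("http://db.example/pages/x", "text/html",
             b"MZ\x90\x00constructed-sample-dropper"),
    Response("http://db.example/pages/y", "text/plain", b"MZ\x90\x00other"),
    Response("http://db.example/pages/z", "text/html", b"<p>Win the jackpot now</p>"),
]


def screen_all(responses):
    """Screen a batch and return the verdict for each URL."""
    return {r.url: screen(r) for r in responses}
```

Screening in this position only works because the data arrives unencrypted, which is the property the text relies on; the checks run on the body as delivered, so the content type is taken from the response header and cross-checked against the bytes rather than trusted on its own.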


According to another aspect, the invention comprises a network access controller having a user identification database which correlates a respective user label with each allowable user identification, the user labels having a hierarchy structure such that user labels higher up the hierarchal structure give clearance for not only their own level of clearance, but also lower levels of clearance equivalent to lower hierarchal labels.


Preferably, the user identification database has only one user label corresponding to each user identification.


Preferably, the user identification database is adapted to have the user labels updated by an authorised person such that it is possible to delete a user identification in the user identification database (or modify or delete the label equivalent to the user identification) so as to deny a user access, or modify the level of access that they are allowed (up or down). Modification of the user label mapping to their user identification modifies the access available to a user.


According to another aspect, the invention comprises a database server or carrier having a plurality of datasets, each of which has an associated dataset label, the dataset labels having a hierarchal structure with higher order labels requiring a higher level of security clearance before their dataset can be released than lower dataset labels.


Preferably, each database label has a security value and modification of the security value of the dataset labels modifies the security value of that label. Modification of a security label of a higher order hierarchal dataset label may modify the security value of data labels that are dominated by it. For example, if there were ten levels of dataset security value labels and the security value of level six (or a certain level) was reduced to that of level three (or a lower value), this may in certain configurations mean that the security values of levels five and four (intermediate values) were also reduced to that of level three (lower value). This may be achieved by a single entry operation for each dataset, or a single entry operation for the entire database.






Each label (user label or dataset label) may have a plurality of different components. Each component may be allocated a numerical value. The numerical values of each of the components of a label may determine its overall security value. The numerical values of different components of the user label may be compared with the numerical values of different components of the dataset label to determine whether access is denied or granted. The comparison may be a binary operation. There may be the same number of components to a user label as to the dataset labels, or there may be a different number of components.
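Multi-component labels with a human-readable part and binary numerical parts, compared one component at a time with a single binary operation, as an added example serving this passage, the earlier passage on the comparator's binary logic operations, and the passage on human-readable and numerical label parts. This is not code from the patent. The encoding is a choice made for the example, not something the patent specifies: hierarchy levels are stored as "thermometer" bit patterns (level 0 = 0b001, level 1 = 0b011, level 2 = 0b111) so that a higher level is a bit-superset of every lower one, compartments are a plain bitmask, and the compartment names are constructed. The level names are the three the patent uses.

```python
"""Added example (not from the patent): labels with a human-readable part and
two numerical components, compared with dataset AND NOT user == 0 per component.

Thermometer-coded levels and a compartment bitmask are this example's
encoding; the compartment names are constructed.
"""
from dataclasses import dataclass

LEVEL_NAMES = ["unclassified", "restricted", "secret"]       # the patent's example levels
COMPARTMENTS = {"FIN": 0b001, "HR": 0b010, "ENG": 0b100}     # constructed compartments


def level_bits(level: int) -> int:
    """Thermometer code: level n sets bits 0..n, so higher levels contain lower ones."""
    return (1 << (level + 1)) - 1


@dataclass(frozen=True)
class Label:
    text: str          # human-readable part, e.g. "secret/FIN+HR"
    level: int         # numerical component 1: thermometer-coded hierarchy level
    compartments: int  # numerical component 2: bitmask of compartments

    @classmethod
    def parse(cls, text: str) -> "Label":
        """Derive the numerical parts from the human-readable form, e.g. 'restricted/FIN+ENG'."""
        level_name, _, comps = text.partition("/")
        level = LEVEL_NAMES.index(level_name.strip().lower())
        mask = 0
        for name in filter(None, comps.split("+")):
            mask |= COMPARTMENTS[name.strip().upper()]
        return cls(text, level_bits(level), mask)

    def components(self):
        return (self.level, self.compartments)


def dominates(user: Label, dataset: Label) -> bool:
    """One binary operation per component: every bit the dataset requires must be set in the user label."""
    return all((d & ~u) == 0 for u, d in zip(user.components(), dataset.components()))


def relabel_level(label: Label, new_level: int) -> Label:
    """Single-entry change of a dataset's level, keeping its compartments (cf. the level-six-to-three example)."""
    _, _, comps = label.text.partition("/")
    text = LEVEL_NAMES[new_level] + ("/" + comps if comps else "")
    return Label(text, level_bits(new_level), label.compartments)
```

Because the hierarchy is encoded as a bit-superset, "equals or outranks" becomes the same AND-NOT test used for the compartments, so the comparator needs no ordering logic beyond one bitwise operation per component.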


According to another aspect, the invention comprises a way of improving the security of a database in accordance with any of the earlier aspects of the invention.

Another aspect of the invention comprises a way of reducing the time taken to alter the security clearance of a user, for example by using any of the earlier aspects of the invention.

Another way of looking at the invention is as a method of reducing the time taken to alter the security clearance of a plurality of datasets in a database.


A further way of looking at the invention is as a way of reducing the computer memory required to compare a user identification with a dataset security clearance to determine if access is to be denied or allowed to the requested dataset, for example by using any of the earlier aspects of the invention.



04-10-99 14:55 0121 456 1368 P. 20 R-S17 Job-591
'98 14:59 FAX 0121 456 1368 BARKER BRETTELL -> UK PAT OFF



The reduction in memory required may be in comparison with that required to have a user identification - dataset look up table with each dataset being mapped directly to permissible users.


A further way of looking at the invention is as a way of reducing the time and/or computer memory required to add additional users to a list of allowable users (or to delete users, or modify the security clearance of the existing users).



Another way of looking at the invention is as a way of reducing the bandwidth requirement for transmission of access-controlled data to achieve a certain data rate; and/or a method of measuring the speed of transmission of access-controlled data with a given bandwidth; and/or a way of transmitting access-controlled files using lower specification computer/telecommunications equipment (compared with the transmission of encrypted data at the same data rate).

It will be appreciated that various aspects of the invention are described in relation to either software per se, a carrier carrying software, a method, apparatus (e.g. for use with a network), or a network itself. Each of the concepts of the statements of invention can be applicable to each of the species of claim type mentioned, and specific protection for each of the species in relation to each of the concepts is required.


There now follows, by way of example only, a description of the invention with reference to the accompanying drawings of which:

Figure 1 shows a block diagram of a computer network running the security arrangement;

Figure 2 shows a block diagram showing the access process for a

Figure 3 shows a flow diagram of the operation of the computer network;

Figure 4 shows the Internet prior art way of mapping user identities to each potentially accessible dataset;

Figure 5 shows the present user identification to user label, and dataset identification to dataset labels mapping, and the user label to dataset label comparison; and

Figure 6 schematically shows the comparison between a user label and a dataset label.

The computer network shown in Figure 1 comprises a computer system, in this case a web server 2, containing datasets (in this case web pages 4) to which clients may wish to have access. This web server 2 is connected via any known network link to a further computer system 6 running a proxy server 8 which has access to an access control list 10. To gain access to the web server 2 communications must pass through the proxy server 8.

A computer 12 can be connected to the proxy server 8 via any known communications link 14. On the computer 12 there are running at least two separate processes: some network access software (in this case a web browser) 16, and some client software 18 which tailors communications for the proxy server 8. The client software 18 has access to a certificate 20 (an X.509 certificate) held on the computer 12.

As will be noticed from the preceding paragraph it is necessary to have the necessary client software 18 and certificate 20 in order to access the web server 2. However, in some circumstances, as will be discussed hereinafter, access may be provided for a computer 22 running the necessary access software 24 (in this case a web browser). In order to achieve this the necessary client software 26 and certificate 28 are provided on the computer system 6 running the proxy server. By connecting through a connection 30 it is possible for the computer 22 to access the web server 2.

Each piece of information held on the computer system 2 has a security level (or dataset label) associated with it. In the case of a web server a security level is assigned to each web page. To access any particular page the client must have an appropriate access level (or user label) assigned to their certificate (the certificate being used to identify that a particular client is indeed who they claim to be).

In one embodiment there exist security levels in order of restriction: unclassified, restricted, secret. A client having permission to access secret data can access any of the data, whereas a client having permission to access only unclassified data can only see data at this level. Each of the pages held on the web server 2, 4 is assigned, using an HTML meta tag, a security level (i.e. unclassified, restricted, secret) and only people having appropriate clearance will be provided with access to that page.

The access level of a particular client is determined by the proxy server 8 in conjunction with the access control list 10. Once the identity of a client has been confirmed, as described hereinafter, the proxy server 8 controls which pages held on the web server 2 can be accessed by that particular client. Because all communication must pass through the proxy server 8, the access decision is taken on a machine other than the one holding the pages, which is more secure than systems which provide access control on the same computer system that is running the web server 2 (the computer system 6 then becomes the enforcement point and must itself be kept hardened). For example hackers may be able to exploit loop holes in the computer system as a whole, e.g. the operating platform software, to access data held on the web pages and thus by-pass the access control. If the operating software of the database server is well-known, e.g. NT or another widely-available commercial software, there may be a lot of people who know a lot about the software structure and who might know loopholes.

The X.509 certificate will generally hold a distinguished name which will probably show that the client is a member of a country, state (e.g. Illinois, or Warwickshire), location (e.g. address), organisation, organisational unit, common name. Each of these elements, and combinations of them, may be a means of identifying groups of people. Not all elements of a distinguished name in the certificate need to be completed; for example a distinguished name may be:-



Country = GB,
Organisation = The Zoo,
Organisational Unit = Elephants,
Common Name = Mark.

In this distinguished name, Mark is a member of the following groups:
People from Great Britain,
People from Great Britain who work for 'The Zoo',
People from Great Britain who work for 'The Zoo' in the Elephants department,
People from Great Britain who work for 'The Zoo' in the Elephants department and are called Mark.

The State and Location elements have not been completed.

Now that the server knows which groups Mark belongs to, it can check the access control list to see if there are any user label entries that match Mark's credentials. There may be any number of entries that match, and each entry will have a user security label associated with it. Each element of the distinguished name may map to a user label (or a corresponding element of a user label). In a user label library or register there does not necessarily have to be a user label for each element of the distinguished name, but there may well be. The Web page itself will also have a dataset security label associated with it. If any one of the client's labels is of an equal or greater security value than the Web page label, then Mark should be allowed access to it. If not, or if there are no matching entries, then clearly he should be denied access.



The invention assumes that there is already some mechanism for requesting and issuing X.509 certificates, and that this is a trusted process. The public certificate of the issuing Certification Authority is in the example present on the same computer as the proxy server 8, and the public certificate and associated private key of the client is in the example present on the same computer as the client software 18.

The client's web browser must be configured in such a way that it points to the IP address and port number of the client proxy / client software 18 and all web page requests go via this proxy. The client proxy 18 must be configured so that it points to the proxy server 8, and the proxy server 8 must be configured so that it points to the Web server 2.

As shown in Figure 3, as the client issues a web page request 50 from the web browser, the client software 18 will convey 52 this, unaltered, to the proxy server 8 which will convey 54 it, unaltered, to the web server 2. The web server 2 will generate an http response 56 after accessing the web pages 4. Upon receipt of the Web server's response, and assuming the requested page exists, the proxy server 8 will generate a string of random data (freshly generated for each challenge, so that a captured response cannot be replayed) and pass this, along with a request for the client's certificate 58, to the client software 18. The client software 18 will then sign the random data using its private key, and pass the signed data and its X.509 certificate (as stored in the client certificate store 62) back to the proxy server 8, as shown at 60. The proxy server 8 will then perform a number of checks as outlined in box 64. It will take the public key from the certificate of the issuer of the client certificate, and use this to verify that the client certificate has been correctly signed by the issuer 66. It will then check that the time period of the client certificate has not expired 68. Next, it will take the public key from the client certificate and verify that the random data has been signed correctly 70 and that the random data is the same data that the proxy server 8 issued 72. It then compares the X.509 distinguished name within the client certificate against entries in the Access Control List 74. Assuming all of the above checks have passed successfully, the proxy server 8 will compare the security label associated with the client entry in the Access Control List with that stored in the HTML source code of the requested Web Page. If the client's security label dominates 76 that of the Web page then the Web server's original response is conveyed (as shown at 78), unaltered, back to the client software 18 (as shown at 80) and then to the web browser 16 where it is displayed 82. If any of these checks fail at any time, an access denied web page is returned, stating the reason for the denial. These denials are shown by the boxes 84 to 94 in Figure 3.

The possible reasons for the denial include: an invalid certificate response 84, 86, 88, an incorrectly signed data response 90, no matching record found in the access control list 92, or insufficient security clearance 94. A message containing the reason is passed back via the client software and displayed on the web browser.
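The exchange of Figure 3 and the checks of box 64, as an added example that is not part of the patent text. Everything in it is an assumption made for the example: the certificate is a plain dictionary standing in for X.509, signatures are textbook RSA over SHA-256 with demo-sized keys generated at run time (a deployment would use real certificates and a vetted signature library), the access control list is a dictionary keyed by the exact distinguished name, and the session identifiers, the check numbers quoted in the denial strings and the scenario in run_demo are constructed. What the paragraph does not show and the code does is the replay case: the random data is consumed on first presentation, so a captured signed response is refused even though its signature still verifies.

```python
import hashlib
import secrets

LEVELS = ["unclassified", "restricted", "secret"]   # least to most restrictive

# Toy textbook RSA over SHA-256 (no padding, demo keys): only to show the exchange.
def _probable_prime(n, rounds=8):                   # Miller-Rabin; n odd and large
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | 1 << (bits - 1) | 1     # odd, full length
        if _probable_prime(c):
            return c

def keygen(bits=512):           # ((e, n), (d, n)); n > 2**256 so a digest fits below n
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _digest(data): return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data): return pow(_digest(data), priv[0], priv[1])
def verify(pub, data, sig): return pow(sig, pub[0], pub[1]) == _digest(data)
def _tbs(dn, pub, not_after): return f"{dn}|{pub[0]}|{pub[1]}|{not_after}".encode()

def issue_cert(issuer_priv, dn, pub, not_after):    # stand-in for an X.509 certificate
    return {"dn": dn, "pub": pub, "not_after": not_after,
            "sig": sign(issuer_priv, _tbs(dn, pub, not_after))}

class ClientSoftware:           # client software 18 with its certificate and private key
    def __init__(self, cert, priv):
        self.cert, self.priv = cert, priv
    def respond(self, random_data):                  # step 60: signed random data + certificate
        return self.cert, random_data, sign(self.priv, random_data)

class ProxyServer:              # proxy server 8: challenge (58) and the checks of box 64
    def __init__(self, ca_pub, acl, now):
        self.ca_pub, self.acl, self.now = ca_pub, acl, now
        self._issued = {}                             # session -> outstanding random data

    def challenge(self, session):
        data = secrets.token_bytes(32)                # fresh and unpredictable per request
        self._issued[session] = data
        return data

    def check(self, session, cert, random_data, sig, page_level):
        issued = self._issued.pop(session, None)      # consumed on first use, valid or not
        if not verify(self.ca_pub, _tbs(cert["dn"], cert["pub"], cert["not_after"]), cert["sig"]):
            return "deny: certificate not signed by the trusted issuer (66)"
        if self.now() > cert["not_after"]:
            return "deny: certificate expired (68)"
        if not verify(cert["pub"], random_data, sig):
            return "deny: random data incorrectly signed (70)"
        if issued is None or random_data != issued:
            return "deny: random data is not that issued for this session (72)"
        level = self.acl.get(cert["dn"])
        if level is None:
            return "deny: no matching record in access control list (74)"
        if LEVELS.index(level) < LEVELS.index(page_level):
            return "deny: insufficient security clearance (76)"
        return "allow"

def run_demo():                 # constructed scenario: one CA, one client, one ACL row
    now = 1_000_000.0
    ca_pub, ca_priv = keygen()
    mark_pub, mark_priv = keygen()
    dn = "C=GB, O=The Zoo, OU=Elephants, CN=Mark"
    mark = ClientSoftware(issue_cert(ca_priv, dn, mark_pub, now + 86400), mark_priv)
    proxy = ProxyServer(ca_pub, {dn: "restricted"}, now=lambda: now)
    out = {}
    cert, echoed, sig = mark.respond(proxy.challenge("s1"))
    out["fresh"] = proxy.check("s1", cert, echoed, sig, "restricted")
    out["replay"] = proxy.check("s1", cert, echoed, sig, "restricted")     # captured response reused
    out["insufficient"] = proxy.check("s2", *mark.respond(proxy.challenge("s2")), "secret")
    stale = ClientSoftware(issue_cert(ca_priv, dn, mark_pub, now - 1), mark_priv)
    out["expired"] = proxy.check("s3", *stale.respond(proxy.challenge("s3")), "restricted")
    rogue_pub, rogue_priv = keygen()                  # an issuer the proxy does not trust
    forged = ClientSoftware(issue_cert(rogue_priv, dn, mark_pub, now + 86400), mark_priv)
    out["untrusted_issuer"] = proxy.check("s4", *forged.respond(proxy.challenge("s4")), "restricted")
    return out
```

The checks run in the order the text lists them, and the outstanding random data is removed from the proxy's table before any of them, so a response is judged against the challenge it answers exactly once whether it passes or fails.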




The access control list is held in a database with a front end that prevents any alterations being made to the design of the database, and may take the form outlined below. The columns are Country, Organisation, Organisational Unit, Common Name and Label / Security Marking; the entries are listed by column in the order they appear, as the row layout of the table has not survived in this copy:

Country: GB, GB, US, US
Organisation: 'The Zoo', WWF, WWF
Organisational Unit: Zoo Research, Zoo Research
Common Name: Alvin
Label / Security Marking: Medium, Medium-High, Medium
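The matching described above for Mark's distinguished name, and the shape of the access control list table, as an added example that is not part of the patent. The DN string format (comma separated attribute=value pairs), the ACL entries, the three client DNs and the use of the text's unclassified/restricted/secret markings in place of the table's Medium/Medium-High are all assumptions of the example. An entry names only some DN elements, so the fewer elements it names the broader the group it covers; where several entries match the strongest marking is taken, and a client presenting no certificate (link 30) receives only the anonymous marking.

```python
from dataclasses import dataclass

# Hierarchical markings named in the text, least to most restrictive.
MARKINGS = ["unclassified", "restricted", "secret"]

def parse_dn(dn):
    """'C=GB, O=The Zoo, OU=Elephants, CN=Mark' -> {'C': 'GB', ...}.
    Assumed format: comma separated attribute=value pairs, no escaping."""
    out = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            out[key.strip().upper()] = value.strip()
    return out

def dn_groups(dn):
    """The progressively narrower groups a DN belongs to, in element order:
    {C}, {C,O}, {C,O,OU}, {C,O,OU,CN} for Mark's certificate."""
    groups, prefix = [], {}
    for key in ("C", "ST", "L", "O", "OU", "CN"):
        if key in dn:
            prefix = {**prefix, key: dn[key]}
            groups.append(prefix)
    return groups

@dataclass(frozen=True)
class AclEntry:
    pattern: tuple      # ((element, value), ...): the DN elements that must match
    marking: str        # user label granted to everyone matching the pattern

    def matches(self, dn):
        # an entry naming fewer elements is a broader group (e.g. all of 'The Zoo')
        return all(dn.get(k) == v for k, v in self.pattern)

def user_marking(acl, dn, anonymous_marking="unclassified"):
    """Strongest marking over all ACL entries matching the client's DN.
    dn=None is a client with no certificate (link 30): it gets only the
    anonymous marking. None means no record matched (denial 92)."""
    if dn is None:
        return anonymous_marking
    hits = [e.marking for e in acl if e.matches(dn)]
    return max(hits, key=MARKINGS.index) if hits else None

def decide(acl, dn, page_marking):
    marking = user_marking(acl, dn)
    if marking is None:
        return "deny: no matching record in access control list"
    if MARKINGS.index(marking) < MARKINGS.index(page_marking):
        return "deny: insufficient security clearance"
    return "allow"

# Constructed ACL in the shape of the table above (partial DN -> marking).
ACL = [
    AclEntry((("C", "GB"), ("O", "The Zoo")), "restricted"),
    AclEntry((("C", "GB"), ("O", "The Zoo"), ("OU", "Elephants"), ("CN", "Mark")), "secret"),
    AclEntry((("C", "US"), ("O", "WWF"), ("OU", "Zoo Research")), "restricted"),
]

MARK = parse_dn("C=GB, O=The Zoo, OU=Elephants, CN=Mark")
ANN = parse_dn("C=GB, O=The Zoo, OU=Lions, CN=Ann")      # only the broad entry matches
OUTSIDER = parse_dn("C=FR, O=Cirque, CN=Luc")             # no entry matches
```

Taking the strongest of several matching entries is what lets one broad row (everyone at 'The Zoo') coexist with a narrower row that raises a single person, without the order of the rows mattering.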



As shown in Figure 1 two paths of access to the proxy server may be provided (via the client software 18 and via the link 30 by-passing the client software 18). Access via the link 30 may be used to allow people to make "anonymous" access to the system or for people who do not have the necessary client software 18 on their computer 22. Of course, it will be realised that if the necessary client software 18 is not running then it will not be possible to verify the identity of the client and that therefore the security method described herein will not be applicable. In such circumstances it would generally be appropriate for clients accessing the proxy server 8 without the client software 18 to be given the minimum level of access. For instance in the example given above it may be applicable to give such a client only access to unclassified web pages (and thus prevent them from accessing restricted or secret web pages). Such a scheme would be realised by providing an entry in the access control list assigning the appropriate security marking to someone without a certificate or who is accessing the proxy server 8 anonymously.

As well as the client software 18 and the web browser 16 it is necessary to run a client software configuration program on the computer 12. This program configures the client software 18 and provides functions such as allowing the IP address and port number of the proxy server 8 to be provided. It should be noted that as shown in Figure 1 two paths of access to the proxy server may be provided (via the client software 18 and via the anonymous link 30 by-passing the client software 18). If a client accesses the access controller anonymously, with no identification certificate, their browser will send requests for web pages through the anonymous client 26. It may be desirable to have a separate address for different proxy servers, but in the present embodiment the configuration programme has only one.

In addition to the proxy server 8 and the access control list 10 a configuration program must be run on the computer system 6 which allows the IP address and port number of the web server 2 to be stored. The configuration program also allows a default security environment to be set. The default security environment is the security level assigned to a web page if no label is present. This may be the highest level of security (so that only the highest security users can see it); that is the fail-closed choice, since a page that was never labelled is then withheld rather than served to everyone.

Also required on the server side (i.e. running on the computer system 6 or on the web server 2) is a file labeller which inserts meta-tags of the correct format on to the web pages. The file labeller can be provided with utilities which may allow any number of pages to be labelled at once, which provides convenience for operators of the system.
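A file labeller and the proxy-side reading of the label, as an added example that is not part of the patent. The patent does not fix the meta tag format, so the tag name x-security-label, the sample page and the choice to treat an unknown label value like a missing one are assumptions of the example. The default security environment is applied by page_level: an unlabelled page gets the highest level, so a page that was never labelled fails closed instead of being served to everyone, and a page that somehow carries two labels is served at the more restrictive one.

```python
import re
from html.parser import HTMLParser

LEVELS = ["unclassified", "restricted", "secret"]      # least to most restrictive
META_NAME = "x-security-label"   # assumed tag name; the text does not fix the format
_TAG_RE = re.compile(r'<meta\s[^>]*\bname="' + re.escape(META_NAME) + r'"[^>]*>', re.I)

def label_page(html, level):
    """File labeller: write the label meta tag into <head>, replacing any
    label already present so a page carries exactly one."""
    if level not in LEVELS:
        raise ValueError(f"unknown security level: {level}")
    stripped = _TAG_RE.sub("", html)
    head = re.search(r"<head[^>]*>", stripped, re.I)
    if head is None:
        raise ValueError("page has no <head> element to label")
    tag = f'<meta name="{META_NAME}" content="{level}">'
    return stripped[:head.end()] + tag + stripped[head.end():]

class _LabelReader(HTMLParser):
    """Collect every label meta tag in the page (the proxy side)."""
    def __init__(self):
        super().__init__()
        self.labels = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == META_NAME:
            self.labels.append((a.get("content") or "").strip().lower())

def page_level(html, default=LEVELS[-1]):
    """Label the proxy enforces for this page. With no label, or a value that
    is not a known level, the default security environment applies; the
    default is the highest level so an unlabelled page fails closed. If a
    page carries several labels the most restrictive one wins."""
    reader = _LabelReader()
    reader.feed(html)
    if not reader.labels or any(l not in LEVELS for l in reader.labels):
        return default
    return max(reader.labels, key=LEVELS.index)

def allowed(user_level, html):
    """The dominance test of step 76 against the page's effective label."""
    return LEVELS.index(user_level) >= LEVELS.index(page_level(html))

# Constructed sample page, not from the patent.
PAGE = "<html><head><title>Elephant feeding rota</title></head><body>...</body></html>"
```

Relabelling through label_page rather than appending a second tag matters because the reader resolves conflicts upwards: a stale secret tag left beside a new unclassified one would keep the page locked, which is the safe direction but not what the administrator intended.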

As explained hereinbefore a more senior access level (access to secret data) will give access to less senior access levels (but not vice versa). This is based on the domination theory outlined in mathematical graph theory and may be implemented using a Unified Labelling Scheme (ULS) wherein a code is assigned to each access level. The codes may then be compared using simple mathematical operations such as NOT and AND to determine whether or not a user is entitled to access a particular access level.

The data from the web pages is transmitted over telecommunication lines/e.m. telecommunication links in compressed format (unencrypted data, compressed). It may be compressed by the web server. If the access control server is close to the web server, this may compress the data (or some other computer may). The data received by the user's server is decompressed before it is displayed for viewing (and/or storage by the user). Alternatively, the data may be stored compressed at the web server.

A comparison between the structure of a prior art security method (SSL) and of the method of the current invention is shown in Figures 4 and 5. As can be seen in Figure 4 each dataset 100 has to contain a list of all users 102 that can access that piece of data. There must therefore effectively be a virtual connection 104 between each piece of data and a user if that user is allowed access. Not all the possible links have been shown in Figure 4 for simplicity.



04/10 '99 15:01 FAX 0121 456 1368 BARKER BRETTELL LTK PAT OFF ®029 




As can be seen from Figure 5 the structure according to the present invention is simpler. Some users 106 are provided with respective user labels 108 and each dataset 110 is provided with a dataset label 112. Once an access to a particular dataset 110 has been requested by a user 106 a comparison process 114 compares the user label 108 with the dataset label 112 to determine whether or not access can be allowed.

It is not necessary for every user to be given an individual user label in the permissions table/library or register of user labels. Their distinguished name may itself provide clearance to a predetermined level (e.g. restricted, or unclassified), with no user-specific clearance being specified. The X.509 Certificate is user specific. The permissions table does not have to be user specific: whole groups or sets of users can be given one clearance.

Figure 6 shows one embodiment of the comparison process 114, wherein the user label 108 comprises a number of sub levels (U1, U2, U3, U4). The dataset label 110 also comprises a number of sub levels (D1, D2, D3, D4). However, the skilled person will appreciate that there could be any number of sub levels provided in the labels 108, 110 and that the number of sub levels within each label do not need to be equal. Each sub level within a label 108, 110 is assigned a numerical value (which may be binary, hexadecimal, or any other number base). The numerical values are compared using standard mathematical operations such as AND and OR and the result of this comparison is used to determine whether or not the user label 108 has sufficient authority to gain access to the data having the dataset label 110.



In one embodiment the dataset label 110 comprises two sub levels and these sub levels interact to provide the overall security level. In this embodiment a first sub level of the dataset label contains the levels given as an example above: unclassified, restricted, secret. The second sub level may contain any other identifier, for example apple, pear, etc. It is the combination of these two sub levels which gives the overall security level. For instance a combination of secret.apple may well have a higher security level than secret.
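The sub level comparison of Figure 6 and the coded labels of the Unified Labelling Scheme passage above, as an added example that is not part of the patent. The encoding is an assumption of the example: the first sub level (unclassified, restricted, secret) is given a thermometer code so that a higher level's bits include every lower level's bits, and the second sub level gets one bit per identifier (apple, pear, orange). With that encoding a single AND test per sub level decides dominance, which covers the secret.apple above secret case and also shows that two identifiers such as apple and pear are not ordered against each other.

```python
LEVELS = ["unclassified", "restricted", "secret"]   # first sub level, ordered
CATEGORIES = ["apple", "pear", "orange"]             # second sub level, unordered (assumed set)

def level_code(name):
    """Thermometer code: unclassified=0b001, restricted=0b011, secret=0b111,
    so a higher level's bits are a superset of every lower level's bits."""
    return (1 << (LEVELS.index(name) + 1)) - 1

def category_code(names):
    """One bit per category identifier present in the label."""
    code = 0
    for n in names:
        code |= 1 << CATEGORIES.index(n)
    return code

def encode(label):
    """'secret.apple.pear' -> (level_code, category_code); 'secret' -> (0b111, 0)."""
    level, *cats = label.split(".")
    return level_code(level), category_code(cats)

def sub_level_results(user, dataset):
    """Per sub level: the user's code must cover the dataset's code, i.e.
    (U AND D) == D. The same test serves both sub levels because of the
    thermometer encoding of the first one."""
    u, d = encode(user), encode(dataset)
    return {name: (ui & di) == di for name, ui, di in zip(("level", "categories"), u, d)}

def dominates(user, dataset):
    return all(sub_level_results(user, dataset).values())

def decision(user, dataset):
    """Allow, or a denial naming the sub level(s) that were not covered."""
    failed = [k for k, ok in sub_level_results(user, dataset).items() if not ok]
    return "allow" if not failed else "deny: insufficient " + " and ".join(failed)
```

Because every sub level is checked with the same covering test, the result is a partial order rather than a single ranking: secret.apple is above secret and above restricted.apple, but neither secret.apple nor secret.pear is above the other.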

It will be appreciated that two significant aspects of one invention are the labelling of the client and the web page. The comparison of these two quantities forms the basis of the access control decision, and provides authenticated web access control. The technique and hardware work independently of certification authorities and directory servers, and can be utilised by any web browser and web server without altering the functionality of those entities. Control of the network access controller can lie entirely in the hands of a private company or person who can control the contents of the user labels and dataset labels, and the hierarchal control database themselves. This system also provides scalability in its use of grouping users by elements of distinguished name (user labels) and mapping this to a particular security rating (dataset label). Groups of clients can have their access rights determined by the elements of the distinguished name in their user label. The X.509 Certificate, or other user-identification certificate, could form the basis of some of the sub-label regions within the user label for each user.

In the specific example given there are four server-side applications (server proxy, server proxy configuration, permissions programme, and file labeller) and two client-side applications (client proxy and client proxy configuration programme).

The file labeller may allow multiple selections of web pages (or other datasets) so that a security administrator can easily label many pages at a time.

A permissions programme maps elements of distinguished names to security labels and may be a table within an access database, with a front end that prevents any alterations.

The server proxy configuration writes information to the system registry used by the access control server. It also sets the default security environment controlling what happens if a requested web page does not contain its own security label.

The access control server is in the example given a proxy which passes web page requests on to the web server and verifies using public/private keys that the request from the client's server has been signed correctly. If a client is denied access to a page, the access control server may inform the client of the reason why.

The client configuration proxy on the client's computer stores the Internet protocol (IP) address and port number of the access control server to which the client server connects, and the IP address and port number of the www proxy, which will allow the client to use the Internet in the normal fashion, by-passing the access control server. It may also allow the client to specify which particular certificate would be used for a particular attempt to access a dataset via the access control server.

The client proxy is a proxy on the client's server that receives a web page request from the client web browser and passes it to the access control server or the www proxy. If it has been sent to the access control server it will receive a request for the X.509 Certificate and some random data in return. It will then sign the random data with its private key and send the data and the Certificate back to the access control server.

In practice, the owner of a database may have the database server and the access control server under their control, possibly on their property/in their buildings. They would keep and maintain the user label database and the dataset label database. A client/user would have the client server (for example Internet browser), and would have the software to run the client proxy and client configuration proxy. This software may be provided to them, for example by the database owner. It may be provided on a machine-readable data carrier (e.g. magnetic or optical disc, a tape, EPROM/ROM etc.) or it may be provided electronically (e.g. via a telecommunication link as an electrical signal or an e.m. signal).

It will be appreciated that any aspect of the present invention can be used in conjunction with any other aspect, and that the preferable features of any aspect may also be applicable to the other aspects of the invention.

The authenticated web access control system discussed is far easier to maintain and update. In the prior art website access control system a maintenance manager has to alter the allowable access identities on each web page to remove or add an allowable user. This can be very time-consuming if there are hundreds or thousands of web pages. In the new system, they simply add a new user label, or delete an existing user label from the directory of user labels (or break the correlation between identified user and their associated specific user label).

Similarly, if an entire category of web pages were to hav^ their security 
access level changed (for example because a secret proj^t had become 

i 



04-10-99 14:55 0121 456 13EB P. 33 R-9ir Job-531 

04/10 99 15:02 FAX 01 21 456 1368 BARKER BRETTELL ■* UK PAT OFF ©033 



30 

pubUc/was to be made public), the maintenance manager can change the 
labels for those web pages to give them a lower security] value. The 

f?r thrr jrlnhnllv in t>i*» rtnTn^et label register by. 



for example, putting all dataset labels with -orange" in 
5 lowest, (e.g. unclassified) level if "project orange" was now 
may be achieved by the hierarchal nature of the dataset 
manager may be able to enter an "orange label element to; 
value" control command which may search the database labels and alter 
the secuiiiy value of eecb label ^I'th "orEnge" in it to b low value, or alter 
10 Aat "orange" component of die security label to a low value J 



them to the 
public. This 
labels. The 
low security 



The benefits of the present invention are best brought out in large systems with many users and/or many potentially accessible datasets. There may be of the order of hundreds or thousands of permissible users, or more. There may be of the order of thousands, tens of thousands or hundreds of thousands (or more) of datasets or web pages potentially accessible. There might be more than one secure web server (database servers) on the network. The access control server may have different addresses for different web servers and know which one to address for a request for a particular dataset (web page).
Claims



1. A method of securing data held on a computer network comprising labelling datasets with access dataset labels, determining the access level to which a user wishing to access a dataset is allowed to access by allocating users a user label and determining in the user label the level of access to be granted, and determining the user's identity and comparing the appropriate user label with the dataset label and allowing access only to datasets which have dataset label access levels equal to or lower than the user label access level.

2. A method according to claim 1 which comprises a method of controlling access to data held on the Internet.



3. A method according to claim 2 which comprises a method of controlling access to web pages on the worldwide web.

4. A method according to claim 2 or claim 3 comprising providing the web page access levels, or dataset labels, as meta tags within the HTML code of a particular web page.

5. A method according to any preceding claim in which a user server and access controller server perform a challenge-response exchange before allowing access to those datasets for which the user is cleared for access, the access when permitted being unencrypted.

6. A method according to claim 5 in which the user server has a public and private key and signs a challenge from the access control server with its private key in returning the response to the access control server.

7. A method according to claim 5 or claim 6 in which the access control server generates random data as part of its challenge and checks that the response from the user server has properly transcribed the random data with the correct private key.


8. A method according to any one of claims 5 to 7 in which the user server runs data checking software to prevent communication of unwanted data.



9. A method according to any preceding claim in which there are a plurality of user labels with a hierarchal structure, labels in the user label hierarchy providing access to datasets which require security to their level and below.

10. A method according to any preceding claim in which the dataset 
labels have a hierarchal structure. 






11. A method according to any preceding claim in which the user labels are allocated a numerical value and the dataset labels are allocated a numerical value and the numerical values are compared to determine whether access is denied or granted.

12. A method according to any preceding claim in which the dataset is provided on a database server and user identification and associated user label allocation and user label - dataset label comparison is performed on a separate server.

13. A method according to any preceding claim comprising using specific access-control software for determining access to datasets in a database and also using standard network access software provided for accessing the network.


14. A method according to claim 13 comprising using a web browser and a web server.

15. A method according to any preceding claim comprising providing the database on a database server and access control software on a separate access controller server.


16. A method according to claim 15 which comprises providing user access request software on a user server, separate from the database and access control servers.

17. A method according to claim 13 or any claim dependent directly or indirectly from claim 13 in which the specific software provides proxy servers which communicate with the standard network access software.



18. A method according to claim 17 comprising having proxy server software on a web browser.

19. A method according to claim 17 or claim 18 comprising running proxy access controller software on either the server that has the datasets, or on a different server.

20. A method according to claim 19 in which web pages are stored on a web server and the proxy access control software is run on a different server.

21. A method according to any preceding claim in which the dataset labels have a hierarchal structure.

22. A method according to any preceding claim in which the user labels have a numerical value and the dataset labels have a numerical value and a comparison of the numerical values of a user label and a dataset label determines whether access is granted or denied.

23. A method according to claim 22 in which the comparison is to see whether the user label numerical value is greater than, less than, or equal to the dataset values.

24. A method according to claim 22 or claim 23 in which the user label and/or dataset label have different sections each with a numerical value and a comparison of the labels compares the different sections of the user label with respective corresponding sections of the dataset label.

25. A method according to claim 24 in which only if all section comparisons result in section clearance is access to the dataset provided.

26. A method according to any preceding claim in which the data transmitted to a user from the dataset is compressed for transmission.

27. A method according to any preceding claim in which there are a plurality of dataset servers on the network and an access controller directs enquiries for data to the appropriate dataset server after it has determined that access to the dataset requested is permitted to the user in question.

28. A computer-readable medium having a programme recorded thereon in which the programme causes, in use, a computer running the programme to execute a procedure to determine whether access to a dataset is to be granted or denied by retrieving a user label corresponding to a user identity, retrieving a dataset label corresponding to the dataset for which a user has requested access, and comparing the user label and dataset label to provide access to data in the datasets which have dataset label access levels equal to or lower than the access level of the user label, and to deny access to datasets which have a higher access level than the user label access level.


29. A computer-readable medium according to claim 28 and adapted to cause, in use, when run on a computer the computer to perform the method of any of claims 1 to 27.

30. A computer programme element or product adapted to cause a computer loaded with the computer programme element and running the programme to perform the method of any of claims 1 to 27.

31. A computer programme element or product according to claim 30 embodied as a computer-readable medium.

32. A network access controller, comprising a comparator, which is adapted to compare a label representative of a dataset and a label representative of a user, and to determine from the comparison whether the user is authorised to have access to the dataset, the comparator being adapted to communicate with access control means adapted to allow or deny a user access to the dataset dependent upon the communication from the comparator.

33. A controller according to claim 32 which is adapted to compare a numerical value associated with the dataset label with a numerical value associated with the user.

34. A controller according to claim 32 or claim 33 in which the numerical values are binary values and the comparator uses one or more simple binary logic operations to make the comparison.

35. A controller according to any one of claims 32 to 34 which has an access control directory having a concordance between user identities and user labels.

36. A controller according to any one of claims 32 to 35 in which the comparator has a registry of concordance between dataset identities and dataset labels.

37. A controller according to any one of claims 32 to 36 which has an anonymous client function adapted to allow users who have no recognised identity to the controller to access a network via the controller, as the anonymous client, with an access label/level determined by the anonymous client function.

38. A method of controlling network access to a database held on a database server and having a plurality of datasets, the method comprising allocating each potentially accessible dataset a dataset label, allocating a user a user label, and comparing the dataset label and user label to determine whether the user can access the dataset.

39. A method according to claim 38 which comprises providing an access controller which controls access to the database, and providing the user labels in the access controller.



40. A method according to claim 38 or claim 39 in which each allowable user has a label associated with them and the user labels are hierarchal, with higher security clearance user labels dominating lower level security user labels and providing access to datasets of equal or lower security level or value.

41. A method according to any one of claims 38 to 40 comprising providing an access control server, and a database server, and running access control software on the access control server, and not the database server.

42. A method according to any one of claims 38 to 41 comprising the unencrypted transfer of data from datasets for which access is granted to a user.

43. A method according to claim 42 comprising running
checking/blocking software on a user/browser server to screen incoming
unencrypted data to block unwanted data content.

44. A method according to any one of claims 38 to 43 comprising
running the access control software as a firewall to a database server, or
on a firewall of an access control server separate to the database server.

45. A method according to any one of claims 38 to 44 comprising
having a hierarchal structure to the dataset labels so that some datasets
may be considered as sub-sets of higher order datasets, with access
clearance for a higher level dataset providing access clearance to lower
level datasets as well.

46. The use of the method of any preceding claim to reduce the human
data-input time and/or computer memory required to manage and maintain
a user-dataset security clearance/access enabling or denying concordance
in a computer; or to reduce the bandwidth requirement for a given data
transfer rate, or to increase the speed of data transmission at a given
bandwidth, or to achieve a given data rate using a lower specification
computer and/or telecommunications equipment.

47. A network comprising a user-browser, an access controller, and a
potentially accessible database comprising a plurality of datasets, each of
which has an associated dataset label, the arrangement being such that
in use the identity of a user is communicated to the access controller, and
the access controller has a user label database of allowable user identities
and user labels, each user having an allocated user label associated with
them in the user label database, and a dataset label database allocating a
dataset label to each dataset potentially accessible via the access
controller, the controller being adapted to take a user identification and
correlate it with a user label, take the user request for access to a
specified identified dataset and determine the dataset label for the
identified dataset, and compare the user label and dataset label to
determine whether access is allowed or denied.

48. A network according to claim 47 which comprises an Internet
worldwide web network, with the datasets comprising web pages.

49. A network according to claim 47 or claim 48 having its user
browser communicable with the access controller, as part of the network
access controller, or on a separate server.

50. A network according to any of claims 47 to 49 in which the access
controller and the potentially accessible database are on different physical
servers at different physical locations.

51. A network having a data-set-containing database provided at a first
physical site, and a network access controller, the network access
controller having telecommunication means adapted to communicate with
the outside world and telecommunication means communicating it with the
database, the network access controller being provided outside of the
database server.

52. A network according to claim 51 in which the network access
controller does not run on the operating software of the database server.

53. A network according to claim 51 or claim 52 in which the network
access controller is at, near, or on the same physical site as the database
server.

54. A network access controller having a user identification database
which correlates a respective user label with each allowable user
identification, the user labels having a hierarchal structure such that user
labels higher up the hierarchal structure give clearance for not only their
own level of clearance, but also lower levels of clearance equivalent to
lower hierarchal labels.

55. A network according to claim 54 in which the user identification
database is adapted to have the user labels updated by an authorised
party, so that it is possible to delete a user identification in the user
identification database (or modify or delete the label equivalent to the user
identification) so as to deny a user access, or modify the level of access
that they are allowed (up or down).

56. A network according to claim 54 or claim 55 in which a database
server or carrier has a plurality of datasets, each of which has an
associated dataset label, the dataset labels having a hierarchal structure
with higher order labels requiring a higher level of security clearance
before their dataset can be released than lower dataset labels.

57. A method of reducing the computer processing time and/or
computer memory necessary to provide authenticated access control to
datasets of a database, the method comprising: allocating datasets a
dataset label, authenticating whether an apparently identified user is an
authenticated user by a challenge/response protocol, or other means,
having a corresponding user label for each authenticated user identity, and
comparing the dataset label of a user-requested dataset with the user label
to determine whether access is to be denied or granted, the dataset being
transmitted unencrypted if released, the reduction in processing time
and/or memory requirement being in comparison with a system in which
each dataset has an associated list of allowable user identities and the
computer checking the specific identity of the user against the allowable
list on each requested dataset, and the dataset being transmitted encrypted
if released.

58. A method of updating a computer database access control program
or system, the method comprising having user labels associated with
identified users, dataset labels associated with datasets of the database,
and having the user labels and/or the dataset labels have an associated
security value, updating of access control being performed by one or more
of:
(i) adding or deleting a user and/or user label and/or the security value of
a user label;
(ii) modifying the security value of a user label;
(iii) adding or deleting a dataset and/or dataset label and/or dataset label
security value;
(iv) modifying the security value of a dataset label.

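The label comparison of claims 38 to 47, the processing/memory argument of claim 57 and the update operations of claim 58 are easier to follow in code. The following is an added, constructed example, not code from the patent or any product it describes. It assumes that labels are small non-negative integers whose value is the security level, so that "higher dominates lower" reduces to the single integer comparison `user_label >= dataset_label`; that a client with no recognised identity is served as the anonymous client of claim 37 with an assumed anonymous label of 0 (public datasets only); and that a dataset with no registered label is denied rather than treated as public. All identities, paths and label values are constructed sample data.

```python
"""Label-based network access controller (constructed example illustrating
claims 38 to 47, 57 and 58; not the patent's own code).

Assumptions not stated in the claims: labels are non-negative integers,
a higher value meaning higher clearance; unknown identities are served as
the anonymous client with label 0; unregistered datasets are denied.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class AccessController:
    # claims 35/47: concordance between user identities and user labels
    user_labels: Dict[str, int] = field(default_factory=dict)
    # claims 36/47: concordance between dataset identities and dataset labels
    dataset_labels: Dict[str, int] = field(default_factory=dict)
    # claim 37: label/level given to clients with no recognised identity
    anonymous_label: int = 0

    def user_label(self, identity: Optional[str]) -> int:
        """Correlate an identity with its label; unrecognised => anonymous."""
        if identity is None:
            return self.anonymous_label
        return self.user_labels.get(identity, self.anonymous_label)

    def can_access(self, identity: Optional[str], dataset: str) -> bool:
        """Claims 38/40/45/54: a user label dominates every dataset label of
        equal or lower value. A dataset with no registered label fails
        closed (denied) instead of defaulting to public."""
        dataset_label = self.dataset_labels.get(dataset)
        if dataset_label is None:
            return False
        # the whole decision is one integer comparison
        return self.user_label(identity) >= dataset_label

    # claim 58: update operations on the two concordances
    def set_user(self, identity: str, label: int) -> None:
        """(i)/(ii): add a user or modify the security value of its label."""
        self.user_labels[identity] = label

    def delete_user(self, identity: str) -> None:
        """(i): delete a user; the identity is then served as anonymous."""
        self.user_labels.pop(identity, None)

    def set_dataset(self, dataset: str, label: int) -> None:
        """(iii)/(iv): add a dataset or modify the security value of its label."""
        self.dataset_labels[dataset] = label

    def delete_dataset(self, dataset: str) -> None:
        """(iii): delete a dataset label; the dataset is then unreachable."""
        self.dataset_labels.pop(dataset, None)

    def equivalent_acl(self) -> Dict[str, Set[str]]:
        """Claim 57 comparison: the per-dataset allow-list that the label
        scheme implies. The label scheme stores len(users) + len(datasets)
        entries; a list scheme stores one entry per allowed (dataset, user)
        pair and must scan that list on every request."""
        return {
            ds: {u for u, ul in self.user_labels.items() if ul >= lbl}
            for ds, lbl in self.dataset_labels.items()
        }


def demo() -> Dict[str, bool]:
    """Constructed scenario: two users, three web pages, then two updates."""
    ctl = AccessController()
    ctl.set_user("alice", 3)  # highest clearance
    ctl.set_user("bob", 1)
    ctl.set_dataset("/public/index.html", 0)
    ctl.set_dataset("/staff/handbook.html", 1)
    ctl.set_dataset("/board/minutes.html", 3)
    results = {
        "anon_public": ctl.can_access(None, "/public/index.html"),
        "anon_staff": ctl.can_access(None, "/staff/handbook.html"),
        "bob_staff": ctl.can_access("bob", "/staff/handbook.html"),
        "bob_board": ctl.can_access("bob", "/board/minutes.html"),
        "alice_board": ctl.can_access("alice", "/board/minutes.html"),
        "unknown_dataset": ctl.can_access("alice", "/nowhere.html"),
    }
    ctl.set_user("bob", 3)  # claim 58 (ii): raise bob's security value
    results["bob_board_after_update"] = ctl.can_access("bob", "/board/minutes.html")
    ctl.delete_user("alice")  # claim 58 (i): alice is now served as anonymous
    results["alice_board_after_delete"] = ctl.can_access("alice", "/board/minutes.html")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Note that `equivalent_acl()` exists only to make the claim 57 comparison concrete: the same allow/deny decisions that the label scheme derives from one entry per user and one per dataset would, in a per-dataset allow-list scheme, need an entry for every permitted user of every dataset.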

59. A network access controller substantially as described herein with
reference to the accompanying drawings.

60. A network substantially as described herein with reference to the
accompanying drawings.

61. A method of controlling access to networked data substantially as
described herein with reference to the accompanying drawings.

62. A method of reducing the human time taken to manage and
maintain a user/dataset access control database substantially as described
herein.

63. A software carrier carrying access control software which when
operational on a computer or network either provides the apparatus or
network of any preceding claim, or operates the computer or network
according to the method of any preceding claim.

64. A computer product or programme element which when operating
on a computer causes the computer to execute procedure to perform a
network access controller or network according to any preceding process
controller or network claim.

65. Software which when running is capable of providing the
apparatus, network, or method of any of claims 1 to 62.

ABSTRACT

IMPROVEMENTS RELATING TO SECURITY

A method of securing data held on a computer network comprising
labelling datasets with an access dataset label, determining the access
level to which a user wishing to access a dataset is allowed to access by
allocating users a user label and determining in the user label the level of
access to be granted, and determining the user's identity and comparing
the appropriate user label with the dataset label and allowing access only
to datasets which have a dataset label access level equal to or lower
than the user label access level. This method is particularly relevant to
Internet applications in which the datasets comprise web pages and the
method is used to determine whether or not users can access particular
pages.

To be accompanied, when published, by Figure 5 of the drawings.